Super Easy, Barely an Inconvenience:
Preparing for your first PCI DSS 4.0 Assessment
Diving headfirst into any major project without some preparation is not for the faint of heart, and your first PCI DSS 4.0 Report on Compliance will be a major project. The result of not planning can turn into a mad dash to patch systems, gather evidence, and contact the right people. Schedules fall behind and costs get out of control. Let me help you avoid some of that trouble by offering some tips to help prepare for a less troublesome PCI experience.
Here are 10 steps you can take now to help prepare for your PCI DSS 4.0 assessment:
1. Get your team together
Your company’s first PCI DSS 4.0 assignment is likely to be a large project involving multiple departments. Make sure you communicate the importance of the assessment effort and have people available to participate in interviews, gather evidence, and remediate any gaps found along the way.
2. Roles and responsibilities
Along with getting your team ready, roles and responsibilities must be identified for all of the PCI DSS requirements. Depending on the size of your organization, this may be a big task.
3. Scope the environment
Determining the scope of your PCI DSS assessment early is critical for a good start. All systems and processes that store, process, or transmit cardholder data are evaluated for compliance. To accurately define your scope, start by identifying the flow of cardholder data within your organization. Map out every point where cardholder data enters your environment, how it moves through and is processed within your systems, and where it exits or is stored. Include any systems that connect to your cardholder data environment or can impact your cardholder data environment. The scoping exercise is a requirement that your company will need to perform at least yearly from now on.
4. Vendor Roundup
Your company may be using Third Party Service Providers (TPSP) to manage some or all of the payment, or IT functions. The TPSPs to focus on here are not only those that have access to the cardholder data environment but also those that manage in-scope systems or could impact security. This could include your MSP, Web Hosting Provider, Cloud Provider, and many others.
Make a list of your TPSPs, and gather all of their PCI compliance documentation such as AOCs, Responsibility Matrix, and any other documentation that states how the TPSP is managing security and compliance on your behalf.
5. Inventory
An accurate and thorough inventory of your systems should include details about the function and use. The inventory may include things you might not think of:
• Trusted Keys and Certificates
• Cryptographic Cypher Suites and Protocols
• Software, including custom, bespoke, and third-party applications.
• Media with cardholder data.
• All hardware including Workstations, Wireless Access Points, HSMs, and both physical and virtual components.
6. Watch out for End of Life
Any hardware or software that is out of date and can’t receive security updates or patches will be a problem. Suppose your company has a legacy system that can’t be updated because of some business constraint, a compensating control may be needed. Compensating controls need to be implemented and tested before the assessment begins. Discovering an out-of-date system during the assessment may cause a significant delay in the project and possibly non-compliance. If you plan to use a compensating control for a legacy system, check with your QSA company before the assessment begins for more guidance.
7. Penetration Tests
Internal and external penetration tests should be started early, preferably before the assessment begins. If the penetration tests are started late, and remediation is required, then the assessment may be delayed.
8. ASV Scans
Before PCI DSS 4.0, not all E-Commerce assessments required ASV scans, but now they do. SAQ A and SAQ A-EP will require ASV scans. The ASV scan must be a PASSING scan from an ASV company, so get started early to allow time for remediation of gaps that are found.
9. Policies and Procedures
Gather up your company’s relevant policies and procedures. Policies must be reviewed and updated annually, so make sure they are current. There needs to be a policy for every applicable PCI requirement. If your policies need work, reach out to your QSA company for help.
10. Look to the Future
Some new requirements in PCI DSS 4.0 are future-dated, taking effect in March of 2025. Don’t wait to start on these new requirements! Some of them will take a great deal of time to implement.
AccessIT Group can help prepare for the new requirements by providing a PCI DSS 4.0 workshop for your company. Planning for your 2024 and 2025 PCI assessments will save a lot of time.
By: Peter Thornton – Senior Security Consultant – CISSP | HCISPP | ISSMP | PMP | CISA | QSA